According to researchers from the security company, the Moobot botnet operators began in late February 2020 to exploit a zero-day bug found in nine different models of fiber routers, sold both for the home market and for SMEs. This zero-day was a remote code execution bug; to actually compromise the attacked device, it had to be chained with a second vulnerability.

Moobot is a new botnet family based on the Mirai botnet, and its specialty is IoT devices. The big difference between this botnet and others that also specialize in the Internet of Things is that it does not focus on looking for computers and devices with weak or default passwords; instead, it focuses on taking advantage of zero-day exploits, sometimes combined with each other. This, of course, raises the suspicion that its effectiveness and danger are higher than those posed by other IoT botnets.

Unfortunately, the firm Alien Labs has now seen an increase in the activity of the Mirai-based Moobot botnet scanning for a flaw in Tenda routers. The scans can be traced back to a new underground malware domain, Cyberium, which has recently been observed in a large amount of Mirai-variant activity. However, the researchers were unable to say which threat actor was behind the scanning activity.

In addition, the attackers were looking for vulnerable Tenda routers affected by a remote code execution problem (CVE-2020-10987). This rogue group seems to return to the same domain with a new subdomain for each new campaign. As security recommendations against Moobot, it is best to review the router configuration: more specifically, check that the device runs the latest firmware version, and check whether the default configuration leaves access accounts active that should be disabled. If so, it is best to restore the original configuration of the device, update its software if necessary, disable all access to it that is not necessary, and disable the accounts configured by default in the system.
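The checks recommended above can be turned into a small audit that a defender runs against a router's exported configuration. The script below is an added example, not code from the article or from any vendor: the JSON export format, the model name, the "latest firmware" table, the list of default service accounts and the sample configuration are all assumed and constructed for illustration.

```python
"""Audit a router configuration export for the conditions the article
recommends reviewing: outdated firmware, default accounts left enabled,
an admin account still on its factory password, and management services
exposed on the WAN side.  Added example; the config format, account names
and firmware table are assumptions, not vendor data."""
import json

# Assumed: latest published firmware per model (placeholder values).
LATEST_FIRMWARE = {"EXAMPLE-MODEL-1": "2.0.5"}

# Assumed: factory accounts that are normally not needed and should be disabled.
DEFAULT_SERVICE_ACCOUNTS = {"support", "guest", "telnet", "user"}

# Assumed: management services that should never be reachable from the WAN.
MANAGEMENT_SERVICES = {"telnet", "ssh", "http", "https"}

# Constructed sample export in the assumed JSON format.
SAMPLE_CONFIG = json.dumps({
    "model": "EXAMPLE-MODEL-1",
    "firmware": "1.9.2",
    "accounts": [
        {"name": "admin", "enabled": True, "default_password": True},
        {"name": "support", "enabled": True, "default_password": True},
        {"name": "guest", "enabled": False, "default_password": True},
    ],
    "services": [
        {"name": "telnet", "enabled": True, "wan": True},
        {"name": "http", "enabled": True, "wan": False},
        {"name": "ssh", "enabled": False, "wan": True},
    ],
})


def parse_version(version):
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(config_json):
    """Return a list of (finding, detail) tuples for the given export."""
    cfg = json.loads(config_json)
    findings = []

    # 1. Firmware: compare against the known latest release for this model.
    latest = LATEST_FIRMWARE.get(cfg["model"])
    if latest is None:
        findings.append(("unknown-model", cfg["model"]))
    elif parse_version(cfg["firmware"]) < parse_version(latest):
        findings.append(("outdated-firmware", f'{cfg["firmware"]} < {latest}'))

    # 2. Accounts: default service accounts left enabled, and any enabled
    #    account still using its factory password.
    for account in cfg["accounts"]:
        if not account["enabled"]:
            continue
        if account["name"] in DEFAULT_SERVICE_ACCOUNTS:
            findings.append(("default-account-enabled", account["name"]))
        if account.get("default_password"):
            findings.append(("default-password", account["name"]))

    # 3. Services: management interfaces enabled and reachable from the WAN.
    for service in cfg["services"]:
        if (service["enabled"] and service["wan"]
                and service["name"] in MANAGEMENT_SERVICES):
            findings.append(("service-exposed-on-wan", service["name"]))

    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

Running it against the constructed sample reports the outdated firmware, the enabled "support" account, both accounts still on factory passwords, and telnet exposed on the WAN; the disabled "guest" account and the disabled WAN SSH service are correctly not reported. Replace the firmware table and the account list with the values from your own vendor's documentation before using it on real exports.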
